
CrowdStrike Falcon Spotlight

Connect Furl to CrowdStrike Falcon Spotlight using OAuth2 API credentials for real-time vulnerability assessment of endpoints protected by the Falcon platform.

CrowdStrike Falcon Spotlight provides continuous vulnerability assessment for hosts running the Falcon agent. Furl’s integration imports both the host inventory and the associated vulnerability findings (with CVE details, CVSS scores, and exploit status) into the context graph for prioritization and remediation.

  1. Create an API Client in the Falcon console

    • Sign in to the CrowdStrike Falcon console.
    • Navigate to Support → API Clients and Keys.
    • Click Add new API client.
    • Give it a meaningful name (e.g., Furl Spotlight Integration).
    • Grant the spotlight-vulnerabilities:read scope.
    • Save and copy the Client ID and Client Secret immediately — the secret is shown only once.
  2. Note your Falcon API base URL

    The base URL depends on the cloud region your CrowdStrike tenant runs in:

    Region    | Base URL
    ----------|--------------------------------------------
    US-1      | https://api.crowdstrike.com
    US-2      | https://api.us-2.crowdstrike.com
    EU-1      | https://api.eu-1.crowdstrike.com
    US-GOV-1  | https://api.laggar.gcw.crowdstrike.com

    If you’re not sure, check the URL of your Falcon console.

Provide the following in Furl:

  • Client ID — Your CrowdStrike API client ID.
  • Client Secret — Your CrowdStrike API client secret.
  • Base URL (optional) — The Falcon API base URL for your region. Defaults to the US-1 endpoint if omitted.

The Assets and Vulnerabilities datasource retrieves hosts and vulnerability findings together using Spotlight’s combined endpoint, importing both the endpoint (host) records and the vulnerability findings. It supports the following optional filters:

  • FQL Filter — A Falcon Query Language expression used to narrow the scope of imported vulnerabilities. Supported fields include status, cve.id, cve.severity, cve.base_score, host_info.platform_name and host_info.tags, among others. Example: status:'open'+cve.severity:'critical'.
  • Status Filter — Filter by vulnerability status. Options: open, closed, reopen, expired. Leave empty to include all statuses.
  • Severity Filter — Filter by CVE severity. Options: critical, high, medium, low, unknown. Comma-separated for multiple values.
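The following script is an added example, not code from Furl or CrowdStrike. It resolves the regional base URL with the same US-1 default as Furl, combines the Status and Severity filters above into a single FQL expression, then performs the OAuth2 client-credentials exchange and the Spotlight query. The `/oauth2/token` and `/spotlight/combined/vulnerabilities/v1` paths are the public Falcon API routes and are assumed here; the page itself only refers to "Spotlight's combined endpoint".

```python
"""Pull Falcon Spotlight findings with OAuth2 client credentials (added example)."""
import json
import urllib.parse
import urllib.request

# Region table from this page; US-1 is the default when no base URL is given.
BASE_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com",
}


def base_url_for(region=None):
    """Resolve the API base URL for a region, defaulting to US-1 as Furl does."""
    return BASE_URLS[region or "US-1"]


def build_fql(status=None, severities=None, extra=None):
    """Combine the Status and Severity filters into one FQL expression.
    Several comma-separated severities become a bracketed FQL list,
    e.g. cve.severity:['critical','high']; an extra hand-written FQL
    expression (the page's FQL Filter) is ANDed on with '+'."""
    terms = []
    if status:
        terms.append(f"status:'{status}'")
    if severities:
        sev = [s.strip() for s in severities.split(",") if s.strip()]
        if len(sev) == 1:
            terms.append(f"cve.severity:'{sev[0]}'")
        elif sev:
            terms.append("cve.severity:[" + ",".join(f"'{s}'" for s in sev) + "]")
    if extra:
        terms.append(extra)
    return "+".join(terms)


def get_token(base_url, client_id, client_secret):
    """OAuth2 client-credentials grant: form-encoded POST to /oauth2/token (assumed public route)."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(f"{base_url}/oauth2/token", data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def fetch_vulnerabilities(base_url, token, fql, limit=100):
    """Query Spotlight's combined endpoint (assumed route). HTTP 403 here means the
    API client lacks the spotlight-vulnerabilities:read scope."""
    query = urllib.parse.urlencode({"filter": fql, "limit": limit})
    url = f"{base_url}/spotlight/combined/vulnerabilities/v1?{query}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["resources"]
```

Only `base_url_for` and `build_fql` run offline; the two network functions need a real tenant, and their responses include the host_info and cve fields referenced by the filters above.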

Currently no actions are supported for this integration.

  • Verify the API client has the spotlight-vulnerabilities:read scope. Without it, the API returns HTTP 403.
  • If you see authentication errors, double-check that the Base URL matches your Falcon tenant’s region.
  • Large environments can return many findings on first sync; use FQL or severity filters to narrow scope while you tune the integration.